Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Azure AD Add, not invite, External User as Member, Not Guest

Tags:

azure-active-directory

When Azure AD finally moved to the new portal, Microsoft quietly took away the button to add an external user (from another Azure AD or a MS account) directly. Now the only option seems to be to invite users as guests and send them an email link. This also denotes them with a UserType of Guest.

This is prohibitive in a B2C or multi-tenant intranet scenario. We can’t have to email invites around to get people added across directories. Adding users via a B2B spreadsheet import doesn’t seem to get them added as a non Guest either.

like image 432
Jeff Avatar asked Mar 06 '23 04:03

Jeff

1 Answers

With the Azure AD B2B invitation options in Microsoft Graph, you can choose whether or not to send the invitation email, and whether to add the user as a Guest or as a Member. The New-AzureADMSInvitation cmdlets from the AzureAD PowerShell module is just a simple wrapper around this API, so the same capabilities are available in PowerShell.

Invite a user as member without sending email

With Microsoft Graph:

POST https://graph.microsoft.com/v1.0/invitations

{
  "invitedUserEmailAddress": "[email protected]",
  "inviteRedirectUrl": "https://example.com",
  "sendInvitationMessage": false,
  "invitedUserType": "Member"
}

With Azure AD PowerShell:

New-AzureADMSInvitation -InvitedUserEmailAddress "[email protected]" `#`
                        -InviteRedirectUrl "https://example.com" `#`
                        -SendInvitationMessage $false `#`
                        -InvitedUserType "Member"

Once the invitation has been created, the user can directly try to sign in to any tenant-specific application they have access to (e.g. https://contoso.sharepoint.com, or https://portal.azure.com/contoso.onmicrosoft.com, or https://yourapp.example.com), using the invited email address as their username.

The first time they do this, Azure AD will automatically detect them as an external user with a pending invitation, and proceed with the required consent prompt to complete the invitation acceptance. Subsequent sign-ins will allow the user to sign in directly. This is described in Add B2B collaboration guest users without an invitation.

like image 136
Philippe Signoret Avatar answered May 12 '23 11:05

Philippe Signoret
Sign in to Comment

Related questions

Azure AD graph api working on local but fails when deployed
Azure Active directory Logout
ASP.NET Core authenticating with Azure Active Directory and persisting custom Claims across requests
ASP.NET Core 2.0 AzureAD Authentication not working
VSTS - unable to git push after connecting to Azure Active Directory
IntuneMAMConfigurator for Intunes iOS sdk configuration
Add users (members) to Azure Active Directory that isn't of a verified domain name in the directory
angular 5 adal.js automatic token renew in load angular twice or more
Handling terms and conditions at Azure AD B2C registration
Whats wrong with my reply-url for AAD auth?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!